
Windows Forensics and Incident Recovery

Notes

Windows Event Log

- clearing the Security event log generates event ID 517 (the Windows 2000/XP number; Vista and later log 1102 for the same action)

- stealing data via a USB drive may generate event ID 134 from the Removable Storage Service; if the logs have been cleared, check the HKEY_LOCAL_MACHINE\System\MountedDevices registry key, where the binary value data decodes to the device path and removable devices show "RemovableMedia" in it

- Logon events http://support.microsoft.com/default.aspx?kbid=174073

- Logon types http://support.microsoft.com/default.aspx?scid=kb;en-us;140714

- More security events http://support.microsoft.com/kb/174074/
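Added example, not from the original notes: the MountedDevices check above done in PowerShell. The value data is REG_BINARY; for plug-and-play volumes it is a UTF-16LE device path, so decoding it and grepping for RemovableMedia or USBSTOR recovers the removable volumes Windows has mounted even after the event logs were cleared. The Removable heuristic and the requirement to run elevated are assumptions.

```powershell
# Added example (not from the original notes): decode HKLM\SYSTEM\MountedDevices
# so removable volumes can be found even after the event logs were cleared.
# Run from an elevated prompt on the suspect host.
function Get-MountedDevice {
    $key = Get-Item -Path 'HKLM:\SYSTEM\MountedDevices'
    foreach ($name in $key.GetValueNames()) {
        $raw = $key.GetValue($name)
        if ($raw -isnot [byte[]] -or ($raw.Length % 2) -ne 0) { continue }

        # Plug-and-play volumes store a UTF-16LE device path such as
        # \??\STORAGE#RemovableMedia#... or _??_USBSTOR#Disk&Ven_...
        # Fixed disks store a 12-byte MBR signature/offset or a 24-byte GPT id,
        # which do not decode to one of those prefixes and are skipped.
        $text = [System.Text.Encoding]::Unicode.GetString($raw).TrimEnd([char]0)
        if ($text -notmatch '^(\\\?\?\\|_\?\?_)') { continue }

        [pscustomobject]@{
            Entry     = $name      # \DosDevices\E: (drive letter) or \??\Volume{GUID}
            Device    = $text
            Removable = [bool]($text -match 'RemovableMedia|USBSTOR')   # heuristic (assumption)
        }
    }
}

Get-MountedDevice | Where-Object { $_.Removable } | Format-Table -AutoSize
```

The \DosDevices\ entries tell you which drive letter the device got; the \??\Volume{GUID} entries persist after the letter is reused, which is why the key is still useful after the log is gone.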

CMD Line History

- doskey /history shows the current console session's commands; the RunMRU registry key (HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU) holds what was typed into Start > Run

File Associations

- C:\>assoc lists every file association; C:\>assoc .exe ---> .exe=exefile

- C:\>ftype exefile ---> exefile="%1" %* ; shows how the file type is launched ("%1" is the file, %* any arguments); it matches the value in HKEY_CLASSES_ROOT\exefile\shell\open\command

- if this value has been modified by malware, restore it with C:\>ftype exefile="%1" %*

Hidden Files

- to view hidden files ---> C:\>dir /ah ; the attrib command lists all file attributes

Scheduled commands

- malicious code is sometimes scheduled; use the at command or schtasks.exe to view scheduled tasks

File Signatures

- a file's signature (magic number) sits in its first few bytes; executables start with MZ; look for a mismatch between signature and extension

- a good list of file headers http://www.techpathways.com/uploads/headersig.txt
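Added example, not from the original notes: a signature-versus-extension sweep in PowerShell. The magic-number table is a small constructed subset (MZ, PK, %PDF, GIF8, PNG, JPEG), not the linked header list, and the alias table covers the extensions that legitimately carry another type's signature so they are not reported. The scan root is a placeholder.

```powershell
# Added example (not from the original notes): read the first bytes of every file
# under a root and report those whose extension disagrees with their content,
# e.g. a PE executable renamed to .txt. Signature table is a constructed subset.
$signatures = @{
    'exe' = @(0x4D, 0x5A)              # "MZ"  (PE / MZ executables)
    'zip' = @(0x50, 0x4B, 0x03, 0x04)  # "PK.." (zip, also docx/jar)
    'pdf' = @(0x25, 0x50, 0x44, 0x46)  # "%PDF"
    'gif' = @(0x47, 0x49, 0x46, 0x38)  # "GIF8"
    'png' = @(0x89, 0x50, 0x4E, 0x47)
    'jpg' = @(0xFF, 0xD8, 0xFF)
}
# Extensions whose normal signature belongs to another entry above
$aliases = @{ dll = 'exe'; sys = 'exe'; scr = 'exe'; cpl = 'exe'; ocx = 'exe'
              docx = 'zip'; xlsx = 'zip'; pptx = 'zip'; jar = 'zip'; jpeg = 'jpg' }

function Get-ContentType {
    param([string]$Path)
    $head = New-Object byte[] 8
    $fs = [System.IO.File]::OpenRead($Path)
    try { $n = $fs.Read($head, 0, $head.Length) } finally { $fs.Close() }
    foreach ($type in $signatures.Keys) {
        $sig = $signatures[$type]
        if ($n -lt $sig.Count) { continue }
        $match = $true
        for ($i = 0; $i -lt $sig.Count; $i++) {
            if ($head[$i] -ne $sig[$i]) { $match = $false; break }
        }
        if ($match) { return $type }
    }
    return $null   # unknown content: not reported, to keep the noise down
}

function Find-ExtensionMismatch {
    param([string]$Root)
    Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $ext = $_.Extension.TrimStart('.').ToLower()
        if ($aliases.ContainsKey($ext)) { $ext = $aliases[$ext] }
        $actual = Get-ContentType -Path $_.FullName
        # Report only when the content was recognised and disagrees with the name
        if ($actual -and $actual -ne $ext) {
            [pscustomobject]@{ File = $_.FullName; Extension = $_.Extension; Content = $actual }
        }
    }
}

Find-ExtensionMismatch -Root 'C:\Users\Public' | Format-Table -AutoSize
```

An MZ file with a .txt, .jpg or .tmp extension is the case worth chasing first; a .exe that is not MZ is usually a dropped script or a placeholder rather than a signature mismatch the attacker intended.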

File Times (MAC Times: Modified, Accessed, Created)

- C:\>dir /ta shows last-access times (add /od to sort on that field; /tw and /tc select the write and creation times instead)

- the Unix touch command, which sets these times, has been ported to Windows http://www.dwam.net/docs/aintx/

- if object access auditing is enabled on the file, changes to MAC times show up as event ID 560 (Object Open) in the Security log

File Binding

- EliteWrap will combine two files into one executable and compress them http://homepage.ntlworld.com/chawmp/elitewrap/

- inPEct is a GUI version http://sysdlabs.hypermart.net/proj/inpect.txt

ADS (Alternate Data Streams)

- LADS will detect them http://www.heysoft.de/Frames/f_sw_la_de.htm

- also Streams from Sysinternals http://www.sysinternals.com/utilities/streams.html (streams -d deletes them)

- to remove an ADS by hand, write out only the main stream (type file > newfile), delete the original, and rename the copy; a plain copy on NTFS carries the streams along, whereas copying to a FAT volume drops them

- ADS can also be attached to directories ---> echo "FooBar" > :ads.txt (attaches the stream to the current directory)

- this hides an executable in an ordinary text file -> C:\ads>type c:\windows\system32\notepad.exe > myfile.txt:np.exe

- call it like this -> C:\ads>start .\myfile.txt:np.exe ; the full path works also

- VB scripts can be hidden in an ADS and launched --> C:\ads>wscript //E:vbs myfile.txt:ads.txt
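Added example, not from the original notes: enumerating and removing streams with PowerShell's own -Stream support instead of LADS or Streams. It walks files and directories (so the `:ads.txt` on a directory above is found too), hides the Zone.Identifier mark-of-the-web stream unless asked for, and flags streams that begin with MZ, which is what the notepad example above would produce. Needs Windows PowerShell 3.0 or later on NTFS; the C:\ads path is a placeholder.

```powershell
# Added example (not from the original notes): enumerate alternate data streams
# under a path, flag hidden executables, and remove one. On PowerShell 7 replace
# "-Encoding Byte" with "-AsByteStream".
function Find-AlternateStream {
    param([string]$Root, [switch]$IncludeZoneIdentifier)
    Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object {
        # -Stream * lists every named stream; NTFS system streams such as :$DATA
        # and :$I30:$INDEX_ALLOCATION (on directories) are filtered out below.
        # Zone.Identifier is the mark-of-the-web on downloaded files: noise for
        # this search, but useful on its own as evidence of where a file came from.
        Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -notmatch '^:\$' } |
            Where-Object { $IncludeZoneIdentifier -or $_.Stream -ne 'Zone.Identifier' } |
            ForEach-Object {
                $head = Get-Content -LiteralPath $_.FileName -Stream $_.Stream -Encoding Byte -TotalCount 2 -ErrorAction SilentlyContinue
                [pscustomobject]@{
                    Path   = $_.FileName
                    Stream = $_.Stream
                    Bytes  = $_.Length
                    IsPE   = (($head -join ',') -eq '77,90')   # 0x4D 0x5A = "MZ"
                }
            }
    }
}

Find-AlternateStream -Root 'C:\ads' | Format-Table -AutoSize

# Remove one stream without touching the file's main contents:
# Remove-Item -LiteralPath 'C:\ads\myfile.txt' -Stream 'np.exe'
```

Remove-Item -Stream deletes just the named stream, so the file's own data (and its other streams) stay intact; that is cleaner than the copy-delete-rename dance and preserves the evidence file for hashing first.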

Registry Hiding

- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TimeZoneInformation is cited as a hiding place because it is rarely inspected; extra values holding strings or small programs can sit alongside the legitimate time zone values without affecting them http://msdn.microsoft.com/library/default.asp?url=/library/en-us/sysinfo/base/gettimezoneinformation.asp

Document Metadata

- Strings from Sysinternals will also find metadata http://www.sysinternals.com/utilities/strings.html

- rhdtool (Remove Hidden Data tool) from MS will strip metadata from Office documents http://www.microsoft.com/downloads/details.aspx?FamilyID=144e54ed-d43e-42ca-bc7b-5446d34e5360&displaylang=en

OLE Storage

- Merge Streams will combine files inside an OLE storage container http://www.ntkernel.com/w&p.php?id=23

Steganography

- free tools at http://home.earthlink.net/~emilbrandt/stego/software.html (S-Tools4)

- Hydan is also popular http://www.crazyboy.com/hydan/

Windows Server Port List

- http://support.microsoft.com/default.aspx?scid=kb;en-us;832017

NTFS Conversion

- to convert from FAT to NTFS --> C:\>convert c: /FS:NTFS

NSA Templates

- you can download OS templates for Windows secedit (Local Security Policy) http://www.nsa.gov/snac/downloads_os.cfm?MenuID=scg10.3.1.1

GPO settings

- gpresult.exe can be run to show the policy settings in effect http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/gpresult-o.asp

Login Restrictions

- lockout settings can be changed with the net accounts command, including allowing unlimited password attempts; run net accounts with no arguments on a suspect host to see the thresholds currently in force

http://support.microsoft.com/default.aspx?scid=kb%3ben-us%3b194739

IIS Application mappings

- using the MMC, bring up application mappings and disable all unnecessary mappings

- IIS Lockdown and URLScan can provide additional security for IIS servers

Windows File Protection

- protected files that are modified or deleted are restored from the cached copies in %SYSTEMROOT%\system32\dllcache (an attacker with admin rights can replace the cached copy too, so verify hashes against known-good media)

- the command-line utility sfc (sfc /scannow) can be used to replace modified files

Perl lib Win32::AdvNotify

- allows you to create your own WFP; for a static website, for example, it can monitor for defacements, automatically replace the file, and notify you. http://idnopheq.perlmonk.org/perl/packages/x86/Win32/

Patch Management

- Download MBSA here http://www.microsoft.com/technet/security/tools/mbsa2/default.mspx

- Shavlik Trial http://www.shavlik.com/pDownloadForm4.aspx?productid=1

Web Vulnerability Assessment

- free tools available at http://www.ntobjectives.com/freeware/index.php

Centralized Logging

- NTsyslog, Kiwi Syslog Daemon, dumpevt.exe (Somarsoft)

- Port Reporter logs port-to-process mappings http://support.microsoft.com/?id=837243

Volatile Information Recovery

- C:\>date /t && time /t , records the system date and time for comparison with the investigator's clock

- systeminfo.exe (native on XP or newer) also shows uptime; psinfo.exe from Sysinternals does the same

- psloggedon.exe from Sysinternals shows locally and remotely logged-on users

- netusers.exe from Somarsoft will also show previously logged-on users with the /h switch

- C:\>net session will display any active remote connections

- C:\>net use * \\\c$ /u:Administrator , maps the remote C$ share as Administrator

- to list processes use pulist from the Resource Kit or pslist from Sysinternals; pslist /t displays processes as a tree, and trojaned processes often fall outside the expected tree (for example a "svchost.exe" whose parent is not services.exe)

- listdlls.exe from Sysinternals gives the command line used to start each process and version information for its loaded DLLs

- handle.exe from Sysinternals lists everything a process has open (files, registry keys, mutexes)

- c:\>tasklist /svc (native to XP) lists processes with the services each one hosts; tasklist /v adds the user name and window title

- tlist from the Windows Debugging Tools is very functional http://www.microsoft.com/whdc/ddk/debugging/default.mspx

- svchost is a generic Windows host process that shows up multiple times; to find out which service groups map to which instance, review HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost (or run tasklist /svc)

Remote Shell

- net use \\machine\ipc$ /user:machine\administrator

- psexec \\machine cmd (from Sysinternals; copies its service to the target, which itself leaves traces)

Process Info Guidelines, at minimum collect the following:

- Process identifiers (PIDs) for each process running on the system (provided by almost all tools)

- Process name (provided by almost all tools)

- Length of time the process has been running (pslist.exe)

- Command line used to launch each process (listdlls.exe, cmdline.exe, tlist.exe)

- Full path to the executable file that each process was launched from (cmdline.exe, tlist.exe)

- User context that each process runs under (handle.exe, pulist.exe)

- Services running under each process (tlist.exe, tasklist.exe)

Additionally, the investigator will also want to collect the following:

- Handles used by each process (handle.exe)

- Modules (DLLs) used by each process (listdlls.exe)
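Added example, not from the original notes: the checklist above collected in one pass with the built-in CIM classes (PID, name, start time and run time, command line, image path, user context, parent, and the services hosted per PID, which is the svchost mapping the notes look up in the registry). It also flags svchost.exe instances that do not look like the real thing. The look-alike name list (taken from the notes) and the rule that svchost.exe must be started by services.exe from System32 are assumptions for illustration, not something the page states.

```powershell
# Added example (not from the original notes): process snapshot per the
# checklist, plus simple svchost masquerade checks. Run elevated so GetOwner
# and CommandLine are readable for every process.
function Get-ProcessSnapshot {
    $now   = Get-Date
    $procs = Get-CimInstance -ClassName Win32_Process
    $byPid = @{}
    foreach ($p in $procs) { $byPid[[string]$p.ProcessId] = $p }

    # services hosted per PID
    $svcByPid = @{}
    foreach ($s in (Get-CimInstance -ClassName Win32_Service | Where-Object { $_.ProcessId -gt 0 })) {
        $svcByPid[[string]$s.ProcessId] += @($s.Name)
    }

    foreach ($p in $procs) {
        $owner  = Invoke-CimMethod -InputObject $p -MethodName GetOwner -ErrorAction SilentlyContinue
        $user   = if ($owner -and $owner.ReturnValue -eq 0) { "$($owner.Domain)\$($owner.User)" } else { $null }
        $parent = $byPid[[string]$p.ParentProcessId]
        $svcs   = $svcByPid[[string]$p.ProcessId]

        $flags = @()
        if ($p.Name -match '^(scvhost|svchosts)\.exe$') { $flags += 'svchost look-alike name' }
        if ($p.Name -ieq 'svchost.exe') {
            if ($p.ExecutablePath -and $p.ExecutablePath -notlike "$env:SystemRoot\System32\svchost.exe") { $flags += 'svchost outside System32' }
            if ($parent -and $parent.Name -ine 'services.exe') { $flags += 'svchost not started by services.exe' }
            if (-not $svcs) { $flags += 'svchost hosting no service' }
        }

        [pscustomobject]@{
            PID            = $p.ProcessId
            Name           = $p.Name
            Started        = $p.CreationDate
            RunningMinutes = $(if ($p.CreationDate) { [int]($now - $p.CreationDate).TotalMinutes } else { $null })
            Path           = $p.ExecutablePath
            CommandLine    = $p.CommandLine
            User           = $user
            Parent         = $(if ($parent) { "$($parent.Name) ($($parent.ProcessId))" } else { "<exited> ($($p.ParentProcessId))" })
            Services       = ($svcs -join ',')
            Flags          = ($flags -join '; ')
        }
    }
}

Get-ProcessSnapshot | Sort-Object PID | Format-Table PID, Name, User, Parent, Services, Flags -AutoSize
```

Pipe the full output to Export-Csv as part of the volatile collection; the Parent column showing "<exited>" for a long-running process is normal for things spawned by an installer, but for a shell or a svchost it is worth a second look.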

Process Memory

- pmdump.exe from http://www.ntsecurity.nu/toolbox/pmdump/ extracts the memory of a given PID

- dd from http://users.erols.com/gmgarner/forensics/ will image the entire physical memory (user-mode access to \\.\PhysicalMemory is blocked from Windows Server 2003 SP1 onward, so this works on 2000/XP only)

- c:\>dd if=\\.\physicalmemory of=c:\win2k-physmem.dd bs=4096

Network Stat & Connections

- promiscdetect from http://www.ntsecurity.nu/toolbox/promiscdetect/ will find local interfaces in promiscuous mode

- netstat may list 0.0.0.0 local addresses; these are listeners bound to INADDR_ANY (all interfaces), not connections

- on XP or newer use netstat -ano; the -o option lists the owning PID

- nbtstat -s lists current NetBIOS over TCP/IP sessions

- fport from http://www.foundstone.com/resources/freetools.htm maps ports to the full path of the owning process

- net use lists all shares currently mapped from this system

- net share lists all resources shared out by the system

- net session lists active SMB sessions made to the system over the network

- net file lists any files in use by an active net session
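Added example, not from the original notes: the fport / netstat -ano view built from the NetTCPIP cmdlets, which exist on Windows 8 / Server 2012 and later (an assumption about the host; on older systems parse netstat -ano instead). Each listening or established TCP endpoint and each UDP listener is joined to its owning process's name, image path and command line, which is the mapping you need to answer "what is listening on that port".

```powershell
# Added example (not from the original notes): port-to-process mapping.
# 0.0.0.0 / :: local addresses are INADDR_ANY binds, as the notes describe.
function Get-PortOwner {
    $procs = @{}
    Get-CimInstance -ClassName Win32_Process | ForEach-Object { $procs[[uint32]$_.ProcessId] = $_ }

    function Describe($proto, $local, $remote, $state, $owningPid) {
        $p = $procs[[uint32]$owningPid]   # OwningProcess is uint32; keys must match type
        [pscustomobject]@{
            Proto       = $proto
            Local       = $local
            Remote      = $remote
            State       = $state
            PID         = $owningPid
            Process     = $(if ($p) { $p.Name } else { '<unknown>' })
            Path        = $(if ($p) { $p.ExecutablePath } else { $null })
            CommandLine = $(if ($p) { $p.CommandLine } else { $null })
        }
    }

    Get-NetTCPConnection | Where-Object { $_.State -in 'Listen', 'Established' } | ForEach-Object {
        Describe 'TCP' "$($_.LocalAddress):$($_.LocalPort)" "$($_.RemoteAddress):$($_.RemotePort)" $_.State $_.OwningProcess
    }
    Get-NetUDPEndpoint | ForEach-Object {
        Describe 'UDP' "$($_.LocalAddress):$($_.LocalPort)" '*' 'Bound' $_.OwningProcess
    }
}

# Listeners first, then established sessions, each with the binary behind it
Get-PortOwner | Sort-Object State, PID | Format-Table Proto, Local, Remote, State, PID, Process, Path -AutoSize
```

A listener whose Path is empty (the process is gone or protected) or whose Process is not the one you expect for that port (something other than svchost.exe on 135, anything on a high port with a path under a user profile) is where the hunt continues.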

Clipboard info

- pclip.exe from http://unxutils.sourceforge.net/ will dump the clipboard contents to STDOUT

Command History

- C:\> doskey /history will show command line history

Service & Drivers

- net start lists all running services but not device drivers

- sc.exe, from the Resource Kit and native on XP or newer, queries services and drivers (sc query type= driver)

- drivers.exe from the Resource Kit and driverquery on XP or newer provide a lot of driver-related info

GPO settings

- can be used to determine how a system was compromised if settings were changed

- GPList from http://www.ntsecurity.nu/toolbox/gplist/ shows the GPOs applied on a system

- GPResult.exe (Resource Kit; built into XP and later) shows the resulting policy for the computer and the current user (/scope computer or /scope user narrows it)

Protected Storage

- pstoreview.exe from http://www.ntsecurity.nu/toolbox/pstoreview/ can reveal user credentials saved in Protected Storage (IE, Outlook) on pre-Vista systems

MAC Information

- dir with /tw, /ta or /tc shows the write, access or creation time respectively

- macmatch from http://www.ntsecurity.nu/toolbox/macmatch/ will search for files with a MAC time inside a given period
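Added example, not from the original notes: a macmatch-style search in PowerShell. It lists every file under a root with a modified, accessed or created time inside a window, records which of the three matched, and flags files whose creation time is later than their last write, which is what a file copied onto the box (or timestomped) looks like. The root and window are placeholders.

```powershell
# Added example (not from the original notes): find files touched in a time window.
# Times are local. Last-access updates are frequently disabled on NTFS
# (NtfsDisableLastAccessUpdate), so treat "A" hits as unreliable.
function Find-FileByMacTime {
    param(
        [Parameter(Mandatory)][string]$Root,
        [Parameter(Mandatory)][datetime]$Start,
        [Parameter(Mandatory)][datetime]$End
    )
    Get-ChildItem -Path $Root -Recurse -Force -File -ErrorAction SilentlyContinue | ForEach-Object {
        $hits = @()
        if ($_.LastWriteTime  -ge $Start -and $_.LastWriteTime  -le $End) { $hits += 'M' }
        if ($_.LastAccessTime -ge $Start -and $_.LastAccessTime -le $End) { $hits += 'A' }
        if ($_.CreationTime   -ge $Start -and $_.CreationTime   -le $End) { $hits += 'C' }
        if ($hits) {
            [pscustomobject]@{
                Matched  = ($hits -join '')
                Modified = $_.LastWriteTime
                Accessed = $_.LastAccessTime
                Created  = $_.CreationTime
                # created after last write: the file was written elsewhere and copied in
                CopiedIn = ($_.CreationTime -gt $_.LastWriteTime)
                Path     = $_.FullName
            }
        }
    }
}

Find-FileByMacTime -Root 'C:\Windows\System32' -Start '2024-05-01 22:00' -End '2024-05-02 02:00' |
    Sort-Object Modified | Format-Table Matched, Modified, Created, CopiedIn, Path -AutoSize
```

Sorting on Modified turns the hits into a timeline of the attacker's window; run it against %SystemRoot%, the profile directories and the Temp folders, and compare against the event IDs and process start times gathered earlier.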

File permissions

- cacls, native to Windows, shows the permissions on any given file

File integrity

- md5deep from http://md5deep.sourceforge.net/ will calculate MD5 hashes for you (recursively, with -r)

Recycle Bin Analysis

- Rifiuti from http://www.foundstone.com/resources/forensics.htm will parse the INFO2 file (the XP-era recycle bin index; Vista and later use per-file $I records instead)

Registry Analysis

- reg.exe from the Resource Kit (reg query) will pull any keys you are looking for out of the registry from the command line

- HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run is the most popular location for malware

- keytime.pl from the book will show the last write time for any given registry key

User Accounts

- compromised machines most often contain one or more new accounts created by the attacker that need to be analyzed

- last logon, time created, number of logins, and group memberships/permissions will all be useful information

Event Logs

- auditpol.exe from the Resource Kit can be used to verify the level of audit logging set on the system

- dumpel.exe from http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/dumpel-o.asp will dump all event log data

- D:\>psloglist -s -x system , from http://www.sysinternals.com/Utilities/PsLogList.html can be used remotely
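Added example, not from the original notes: pulling the audit events these notes care about (the cleared-log event from the Windows Event Log section and the logon events from the linked KB articles) with Get-WinEvent, locally or remotely like psloglist. The IDs on this page are the Windows 2000/XP numbers; on Vista and later the same events are 1102 (audit log cleared, was 517), 4624 (successful logon, was 528) and 4625 (failed logon, was 529), so both sets are queried. The auditpol invocation at the end is the built-in tool, not the Resource Kit one the notes mention.

```powershell
# Added example (not from the original notes): log clears and logons from the
# Security log, with the logon type and source address folded out of EventData.
function Get-SecurityAuditSummary {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Hours = 24, [int]$MaxEvents = 5000)
    $filter = @{ LogName = 'Security'; Id = 517, 528, 529, 1102, 4624, 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # EventData is a list of <Data Name="..."> nodes in the current format and
        # bare <Data> strings in the classic one; fold whatever has a Name into a table
        $d = @{}
        foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { if ($n.Name) { $d[$n.Name] = $n.'#text' } }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Id        = $e.Id
            What      = $(switch ($e.Id) {
                            { $_ -in 517, 1102 } { 'AUDIT LOG CLEARED' }
                            { $_ -in 528, 4624 } { 'logon' }
                            { $_ -in 529, 4625 } { 'failed logon' }
                        })
            User      = $d['TargetUserName']
            LogonType = $d['LogonType']     # 2 interactive, 3 network, 10 RemoteInteractive (RDP)
            Source    = $d['IpAddress']
            Process   = $d['ProcessName']
        }
    }
}

# audit policy currently in force (replaces the Resource Kit auditpol.exe check)
auditpol /get /category:*

# every log clear, plus network and RDP logons, in the last two days
Get-SecurityAuditSummary -Hours 48 |
    Where-Object { $_.Id -in 517, 1102 -or $_.LogonType -in 3, 10 } |
    Format-Table Time, Id, What, User, LogonType, Source -AutoSize
```

A 1102/517 with nothing before it is itself the finding: note the user recorded in the event and the time, then go to the MountedDevices key, file MAC times and prefetch/scheduled-task artifacts that survive a log wipe.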

File Analysis

- strings from http://www.sysinternals.com/Utilities/Strings.html extracts ASCII and Unicode strings from a binary

- BinText from http://www.foundstone.com/resources/proddesc/bintext.htm is a GUI with a good filter

- MS has a DLL lookup online http://support.microsoft.com/dllhelp/

- Dependency Walker from http://www.dependencywalker.com/ has a GUI that shows all of a file's import dependencies

- WordLeaker will rip out Word metadata, along with revision history, available at http://www.elligre.tk/madelman/madelman/index.php/archivos/2005/02/23/wordleaker-extracting-info-from-word-files/

- fdte from http://www.digital-detective.co.uk/freetools/fdte.asp will grab hidden dates and times from a binary

- you can view PDF metadata in Adobe Reader under File | Document Properties

CA Identity Theft Law (SB 1386) - affects all companies doing business in CA

- http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html

Know What To Look For

- the goal of any incident investigation should be to determine whether an incident occurred and, if so, how it was able to occur (root cause analysis)

Infection Vectors

- common vectors: email, P2P, IM, web browser, OS/application buffer overflows, default/weak passwords

Malware Footprints

- often leave new files and directories

- added to the startup folder C:\Documents and Settings\\Start Menu\Programs\Startup

- added to the Run key in the registry HKLM\Software\Microsoft\Windows\CurrentVersion\Run

- afind (Foundstone) or macmatch (ntsecurity.nu) can be used to find recently modified/created files and directories

- can be a scheduled task (at command), which creates a .job file in C:\WINNT\Tasks

- example (2K) c:\>at 11:00pm /every:5,10 cmd /c "sol.exe" (runs on the 5th and 10th of each month)

- example (XP) c:\> schtasks /create /tn Solitaire2 /tr sol.exe /sc onlogon

- malware often changes how the system handles .exe files, HKEY_CLASSES_ROOT\exefile\shell\open\command

- the original value is "%1" %* ; other handlers modified this way are .bat, .com and .txt

- HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon can be modified too

- its Shell value should be set to "Explorer.exe" (and Userinit should point only at userinit.exe)

- abnormal processes: svchost.exe in particular is often mimicked (scvhost or svchosts) or duplicated

- malware can also be set up as a Windows service using srvany.exe (Resource Kit)

http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/q137/8/90.asp&NoWebContent=1&NoWebContent=1

- example C:\>path\instsrv.exe <service name> path\srvany.exe ; then, by editing the following registry entry

- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<service name>\Parameters\Application, srvany will run any app or executable as that service
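Added example, not from the original notes: a single pass over the persistence locations in the list above (Run/RunOnce, the exefile/batfile/comfile handlers, Winlogon Shell and Userinit, the Startup folders, scheduled tasks and services whose binary is srvany or lives outside the Windows and Program Files trees). The expected handler and Winlogon values are the Windows defaults; everything else is listed for review, not judged. Get-ScheduledTask is assumed to exist (Windows 8 / Server 2012 and later); on older hosts use schtasks /query /v as the notes do. The same handler check also covers the File Associations section earlier on the page.

```powershell
# Added example (not from the original notes): persistence audit. Run elevated.
function Test-Persistence {
    $out = New-Object System.Collections.Generic.List[object]
    function Add-Finding($where, $name, $value, $note) {
        $out.Add([pscustomobject]@{ Where = $where; Name = $name; Value = $value; Note = $note })
    }

    # 1. Run / RunOnce keys for the machine and the current user
    foreach ($hive in 'HKLM', 'HKCU') {
        foreach ($sub in 'Run', 'RunOnce') {
            $k = "${hive}:\Software\Microsoft\Windows\CurrentVersion\$sub"
            if (Test-Path $k) {
                $item = Get-Item $k
                foreach ($v in $item.GetValueNames()) { Add-Finding $k $v ($item.GetValue($v)) 'autostart' }
            }
        }
    }

    # 2. Shell handlers: a changed value runs the attacker's loader before every .exe/.bat/.com
    $expected = @{ exefile = '"%1" %*'; batfile = '"%1" %*'; comfile = '"%1" %*' }
    foreach ($type in $expected.Keys) {
        $k = "Registry::HKEY_CLASSES_ROOT\$type\shell\open\command"
        $actual = (Get-ItemProperty -Path $k -ErrorAction SilentlyContinue).'(default)'
        if ($actual -ne $expected[$type]) { Add-Finding $k '(default)' $actual "expected $($expected[$type])" }
        # a per-user copy of the same key does not exist by default; HKCR merges it over the machine value
        $u = "HKCU:\Software\Classes\$type\shell\open\command"
        if (Test-Path $u) { Add-Finding $u '(default)' ((Get-ItemProperty $u).'(default)') 'per-user handler override' }
    }

    # 3. Winlogon Shell and Userinit
    $wl = Get-ItemProperty 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
    if ($wl.Shell -ne 'explorer.exe') { Add-Finding 'Winlogon' 'Shell' $wl.Shell 'expected explorer.exe' }
    if ($wl.Userinit -notmatch '^[A-Za-z]:\\Windows\\system32\\userinit\.exe,?$') {
        Add-Finding 'Winlogon' 'Userinit' $wl.Userinit 'expected <SystemRoot>\system32\userinit.exe,'
    }

    # 4. Startup folders (per-user and all-users)
    foreach ($f in 'Startup', 'CommonStartup') {
        Get-ChildItem -Path ([Environment]::GetFolderPath($f)) -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -ne 'desktop.ini' } |
            ForEach-Object { Add-Finding $f $_.Name $_.FullName 'startup folder' }
    }

    # 5. Scheduled tasks outside the \Microsoft\ tree
    Get-ScheduledTask -ErrorAction SilentlyContinue | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
        $actions = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        Add-Finding "task $($_.TaskPath)" $_.TaskName $actions 'scheduled task'
    }

    # 6. Services running srvany or a binary outside Windows / Program Files
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $path = [string]$_.PathName
        if ($path -match 'srvany' -or ($path -and $path -notmatch '^"?[A-Za-z]:\\(Windows|Program Files)')) {
            Add-Finding "service $($_.Name)" $_.StartMode $path 'service binary'
        }
    }
    return $out
}

Test-Persistence | Format-Table -AutoSize -Wrap
```

Run it on a known-clean build of the same image first and diff the two outputs; most of what it lists on a healthy machine is vendor software in ProgramData, and the delta is what the attacker added.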

Rootkits

- a popular Windows rootkit site is Greg Hoglund's http://www.rootkit.com

- a user-mode rootkit simply replaces system files with trojaned versions or uses DLL injection to patch them in memory

- a kernel-mode rootkit runs inside the kernel (the trusted computing base) and hooks system calls, so every process sees filtered results

- a good way to remove a user-mode rootkit is to boot into Safe Mode and remove the Run key entries and the files themselves; a kernel-mode driver may still load in Safe Mode, so examine and clean those from offline boot media instead

Forensics Server Project (POC for automated system info collection)

- http://www.windows-ir.com/fsp.html, runs on Windows/Linux, requires Perl (with Win32::GUI, Digest::MD5 and Digest::SHA1, installed via ppm install), and can listen on any port (default 7070)

- setup of the First Responder's Utility (FRU) requires Win32::GUI, Win32::Lanman, Win32::Perms, Win32::API::Prototype, Win32::TaskScheduler, Win32::DriveInfo and Win32::IPConfig. It requires a CD burner, and you must also download the following third-party utilities: cmd.exe (clean), the Sysinternals tools psloggedon, pslist, psloglist, psinfo, listdlls and handle, tlist from the MS Debugging Tools, cmdline, iplist and openports from DiamondCS, rifiuti from Foundstone, promiscdetect from NTSecurity.nu, and reg and auditpol from MS.

- FRU also requires the following Perl scripts: getos.pl, pclip.pl, e_cmd.pl, service.pl, getsys.pl, tasks.pl, regdump.pl, mdmchk.pl, shares.pl, dt.pl and ip.pl

- the clean cmd.exe should be placed in the root directory of the CD-ROM

- the File Client Component (fcli.pl) should be installed as part of the FSP; it allows suspect files to be copied off the host

Scanners

- netcat can be used as a port scanner; D:\tools>nc -v -w 2 -z 10.1.1.15 0-1024 ; displays the open ports in the given range (-z means scan only, no data)

- adding an echo and dropping the -z will grab banners; D:\tools>echo QUIT | nc -v -w 2 10.1.1.15 0-1024 ;

- PortQry is Microsoft's version; http://support.microsoft.com/?kbid=310099
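Added example, not from the original notes: the two netcat lines above as one PowerShell function, a TCP connect scan with a per-port timeout (the -w 2 above) that sends QUIT and reads whatever the service answers with, so chatty services such as SMTP and FTP identify themselves. The target and port range are placeholders; it uses only the .NET TcpClient, so it runs where netcat is not installed or not allowed.

```powershell
# Added example (not from the original notes): connect scan plus banner grab.
# Ports with no answer inside the timeout are treated as filtered and skipped;
# refused ports throw from EndConnect and are skipped by the catch.
function Invoke-PortScan {
    param([string]$Target, [int[]]$Ports, [int]$TimeoutMs = 2000)
    foreach ($port in $Ports) {
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $async = $client.BeginConnect($Target, $port, $null, $null)
            if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { continue }
            $client.EndConnect($async)

            $banner = ''
            $stream = $client.GetStream()
            $stream.ReadTimeout = $TimeoutMs
            $quit = [System.Text.Encoding]::ASCII.GetBytes("QUIT`r`n")
            $stream.Write($quit, 0, $quit.Length)
            $buf = New-Object byte[] 1024
            try {
                $n = $stream.Read($buf, 0, $buf.Length)
                if ($n -gt 0) { $banner = [System.Text.Encoding]::ASCII.GetString($buf, 0, $n).Trim() }
            } catch { }   # open but silent (e.g. HTTP waiting for a request line)

            [pscustomobject]@{ Port = $port; Open = $true; Banner = $banner }
        } catch { } finally { $client.Close() }
    }
}

Invoke-PortScan -Target '10.1.1.15' -Ports (1..1024) | Format-Table -AutoSize
```

Like netcat, this is a full three-way handshake per port and shows up in the target's logs and in any firewall in between; that is fine when you are verifying your own incident host, less so when you are still trying to be quiet.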

Sniffers

- Network Monitor (netmon) is Microsoft's built-in sniffer; http://support.microsoft.com/kb/148942/EN-US/ ; it can also be run remotely via SMS

- WinDump is the Win32 port of tcpdump; http://www.winpcap.org/windump/docs/manual.htm
